00. Exposing a Rogue Domain Portfolio of Fake News Sites - An Analysis 


We recently came across third-party research describing an interesting and important Iran-based foreign influence and disinformation campaign, and decided to take a deeper look using Maltego and WhoisXML API to offer additional insight into the campaign's online infrastructure.

In this analysis we'll use public campaign sources for the sample data and offer an in-depth look inside the campaign's online infrastructure, using Maltego and WhoisXML API's vast real-time and historical WHOIS database to provide additional IoCs (Indicators of Compromise) and help researchers and vendors stay on top of this campaign.


Sample Maltego graph of historical WHOIS records for the email addresses used in this campaign

Sample domain WHOIS records for registrant email addresses known to have participated in the campaign, including additional related domains known to have participated in the campaign


Original Set of Fake News Web Sites that we used in the following case study: 


Ranked by Outgoing Links 




Associated historical WHOIS registrant email addresses which we obtained using WhoisXML API include:




Responding IPs for the original fake news domains used in this analysis: 






Historical WHOIS domains known to have been registered using the same email addresses:




Related historical domains known to have been registered using the same email 
addresses: 




We'll continue monitoring for similar foreign influence and disinformation campaigns using Maltego and WhoisXML API's vast database of real-time and historical WHOIS records, including looking for additional clues in terms of related domains and related typosquatting activity, and will post updates as soon as new developments take place.


